Report: CTS Labs has proof-of-concept code for AMD vulnerabilities

As you may have heard, a group calling itself CTS Labs yesterday revealed what it claims are no fewer than 13 security vulnerabilities in AMD hardware. There's a cloud of controversy and confusion surrounding the announcement, the manner in which it was made, and the motivation behind it. Ars Technica and TechPowerUp (TPU) have both done some digging and come up with a little more info.

TechPowerUp reportedly contacted CTS Labs directly. The group told TPU that it had provided "a complete research package" including "functional proof-of-concept exploit code" to AMD, Microsoft, HP, Dell, Symantec, FireEye, and Cisco Systems. Furthermore, CTS Labs admitted to TPU that it did indeed wait just one day after informing AMD before going public with its findings.

Meanwhile, Ars Technica hooked up with a number of security and processor experts. The site has a pretty detailed write-up that's worth reading in its entirety. To sum up, Ars was told that the vulnerabilities are real but of limited concern due to the requirement of administrator-level access to the affected systems. TR friend and occasional podcast guest David Kanter told Ars that "all the exploits require root access [...] if someone already has root access to your system, you're already compromised."

That doesn't mean that the exploits are of no consequence. Security expert Dan Guido (founder of Trail of Bits) claims he had access to CTS' code package and told Ars that the exploits "work as described" to "make a bad compromise significantly worse." That is, if an unauthorized user is able to gain the required administrative access, these exploits could allow them to place a backdoor on the system that would be undetectable without extensive analysis and could require hardware replacement as a mitigation.

For its part, AMD says that it's investigating the report. It's barely been two days since the company was informed about these flaws—a fact which has been the source of a lot of argument on the web. Companies are usually given at least 90 days to deal with security flaws before they are made public. The lead time before the Meltdown and Spectre exploits were made public was nearly half a year. Whatever its motivations are, CTS Labs' research does seem to be at least partially accurate.